From: James R. Van Zandt <jrvz <at> comcast.net>
Subject: Re: debian, ipw2200 and wlan0
Newsgroups: gmane.linux.drivers.ipw2100.devel
Date: 2005-02-07 02:07:54 GMT
Henrik Brix Andersen <brix <at> gentoo.org> wrote:
>On Fri, 2005-02-04 at 01:54 +0000, Pedro Ramalhais wrote:
>> The ifname option is obviously a "hack"...
>This hack is to be removed in ipw2100-1.0.5 and ipw2200-1.0.1.
Please keep the ifname option, and preferably change the default
interface name back to "eth%d".
I want all my net interfaces to have eth* names so I can set up a
firewall using iptables like that below. Note in particular this line:
/sbin/iptables -A block -m state --state NEW -i ! eth+ -j ACCEPT
which means "accept a new connection unless it's coming from an
interface with name starting 'eth'" - in other words, accept new
connections unless they're coming from outside. My notebook may be
connected by Ethernet (eth0) or by 802.11b/g. If the latter interface
is named wlan0, then I don't know how to write the iptables command.
(It won't accept more than one -i flag.)
If there's another way please let me know.
- Jim Van Zandt
# based on "Rusty's Really Quick Guide To Packet Filtering" in
# The "Linux 2.4 Packet Filtering HOWTO"
# by Paul 'Rusty' Russell <rusty <at> rustcorp.com.au>
#
# this file is sourced by /etc/init.d/firewall
IFACES="eth0 eth1"
# we accept incoming connections to these ports - e.g. 22=ssh
ACCEPTED_TCP="ssh 137 138 139"
ACCEPTED_UDP="137 138 139"
## drop IDENT requests silently
IGNORED_TCP="113"
## drop netbios broadcasts silently
# 1319=panja-icsp Internet Control System Protocol (see Panja, NetLinx)
IGNORED_UDP="513 bootpc bootps 1319 ipp"
## Create chain "block" which blocks new connections unless coming from inside.
/sbin/iptables -N block
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -m state --state NEW -i ! eth+ -j ACCEPT
for IFACE in $IFACES; do
    for p in $IGNORED_TCP; do
        /sbin/iptables -A block -i $IFACE -m state --state NEW \
            -p tcp --destination-port $p -j DROP
    done
    for p in $IGNORED_UDP; do
        /sbin/iptables -A block -i $IFACE -m state --state NEW \
            -p udp --destination-port $p -j DROP
    done
    ## permit pings
    /sbin/iptables -A block -i $IFACE -p icmp -j ACCEPT
    ## permit some connections
    for p in $ACCEPTED_TCP; do
        /sbin/iptables -A block -i $IFACE -m state --state NEW \
            -p tcp --destination-port $p -j ACCEPT
    done
    for p in $ACCEPTED_UDP; do
        /sbin/iptables -A block -i $IFACE -m state --state NEW \
            -p udp --destination-port $p -j ACCEPT
    done
    ## log any other packets
    /sbin/iptables -A block -i $IFACE -m limit -j LOG \
        --log-level warning --log-prefix "Dropping packet: "
done
/sbin/iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
/sbin/iptables -A INPUT -j block
/sbin/iptables -A FORWARD -j block
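As an added example (not from Jim's post or the ipw driver project), here is one way to keep the "block unless from inside" policy without depending on an interface-name wildcard: jump into the block chain once per outside interface listed in OUTSIDE_IFACES (an assumed variable name), so eth0 and wlan0 are treated alike whatever they are called. IPT defaults to echoing the commands so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: per-interface jumps into "block" instead of "-i ! eth+".
# OUTSIDE_IFACES (assumed name) lists the interfaces facing the outside;
# an interface not listed (lo, ppp0, ...) never enters the block chain,
# so new connections from it are left to the INPUT chain's default policy.
# IPT defaults to echoing the commands (dry run); set IPT=/sbin/iptables
# and run as root to apply them.
IPT="${IPT:-echo /sbin/iptables}"
OUTSIDE_IFACES="eth0 wlan0"      # constructed: wired and wireless uplinks
ACCEPTED_TCP="ssh"               # services reachable from outside
ACCEPTED_UDP=""
IGNORED_TCP="113"                # dropped without logging, as in the post

build_rules() {
    $IPT -N block
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A block -p icmp -j ACCEPT
    for p in $IGNORED_TCP; do
        $IPT -A block -m state --state NEW -p tcp --dport "$p" -j DROP
    done
    for p in $ACCEPTED_TCP; do
        $IPT -A block -m state --state NEW -p tcp --dport "$p" -j ACCEPT
    done
    for p in $ACCEPTED_UDP; do
        $IPT -A block -m state --state NEW -p udp --dport "$p" -j ACCEPT
    done
    $IPT -A block -m limit -j LOG --log-level warning \
        --log-prefix "Dropping packet: "
    $IPT -A block -j DROP
    # One jump per outside interface replaces the single "-i ! eth+" rule;
    # the interface name no longer matters, only its membership in the list.
    for IFACE in $OUTSIDE_IFACES; do
        $IPT -A INPUT   -i "$IFACE" -j block
        $IPT -A FORWARD -i "$IFACE" -j block
    done
}

build_rules
```

Newer iptables releases expect the negation in front of the option (`! -i eth+`) rather than after it, which is one more reason to avoid the wildcard form entirely.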